Configuring the AREA LDAP plug-in


For individual servers on a local level, you can use the AREA LDAP Configuration form in the AR System Administration Console to configure the AREA LDAP plug-in. If a local value does not exist, the form displays the global-level value. Modifying a value on this form changes or creates the local-level value only.

For example, if a setting currently shows its global-level value and you change that value by using this form, a local-level value is created for that setting; the global-level value is not changed.

Before you begin

  • Set up user and group information in an LDAP directory service
  • (On-premises only) Apply the CA certificates through the cacert route in ConfigMaps.
    For more information, see Applying security certificates to your applications
    in the BMC Helix IT Service Management Deployment documentation.

Use the following procedure to enter the AREA LDAP Configuration form settings. In a server group environment, you must apply these settings on each server.

Best Practice
We recommend that you use the AR System Management Console to view and configure the AREA LDAP plug-in at a global level. This screen provides a single location to manage configuration settings across the server group. To access the Server Group Configuration screen:

  1. In a browser, enter the following URL address:
    http://midTierServerInstallDir/arsys/forms/serverName
  2. Log in.
  3. In the AR System Management Console, select AR System Server Group Console > Server Group Configuration.

For more information about setting global and local level configurations, see Managing AR Server Group components by using global and local level configurations.

To configure settings for the AREA LDAP plug-in

  1. Log in to Mid Tier.
  2. Select AR System Administration > AR System Administration Console.
  3. Select System > LDAP > AREA Configuration.
    The AREA LDAP Configuration form is displayed:

    [Figure: the AREA LDAP Configuration form, with the Configuration List at the top and the Configuration Detail sections below]
    If AREA LDAP server configurations are configured for your AR System server, they are displayed in the Configuration List at the top of the form. When AR System attempts to authenticate a user, it searches each LDAP server configuration in the list.
  4. In the Configuration List, perform one of the following actions:
    • To create a configuration, click Clear Fields. All fields in the form are cleared.
    • To modify a configuration, select it in the list. The fields in the form display data of the selected configuration.
  5. In the Directory Service Information section, enter or change the values in the following fields:
    • Host Name: Enter the name of the server on which the directory service is hosted.
    • Port Number: Enter the port number on which the directory service is listening.
    • Bind User: Enter the distinguished name (DN) of the account that the plug-in binds with to search the directory service for user objects. This account needs read and search permission on the user and group subtrees; give it nothing more.

    • Bind Password: Enter the password for the distinguished name specified for the Bind User. The maximum length is 30 characters.
    • Use Secure Socket Layer: Select Yes to connect to the directory service over SSL/TLS; the Certificate Database box is then enabled. With No, the Bind Password crosses the network in clear text, so select Yes wherever the directory service supports it.
    • Certificate Database: Enter the absolute path to the certificate datastore and the name of the .jks file, for example C:\certificate\certdb.jks. The keystore must contain the CA certificate chain that issued the directory server's certificate; otherwise the plug-in cannot validate the server.
    • Failover Timeout: Enter the number of seconds the directory service has to respond to the plug-in server before an error is returned. The minimum value is 0 (the connection must be made immediately). This value must not be higher than the value of the External-Authentication-RPC-Timeout parameter; otherwise the AR System server stops waiting for the plug-in before the plug-in stops waiting for the directory service.
    • Chase Referral: When the AREA LDAP plug-in sends a request to a directory server, the server might return a referral if some or all of the requested information is stored on another server. Attempting to chase the referral by connecting to that other server can cause authentication problems.
      By default, referrals are not chased. Select Yes to enable automatic referral chasing by the LDAP client, or No to prevent it. This option is only for Microsoft Active Directory servers; select No for all other directory servers.

      Important

      AR System does not support referrals that use a domain name rather than a hostname as a reference. When Active Directory automatically configures referrals (such as when a trust or parent/child domain relationship is created), it uses a domain name in the referral. Therefore, such referrals do not work in AR System even when Chase Referral is set to Yes.

  6. In the User and Group Information section, enter or change the values in the following fields:
    • User Base: Enter the base name to search for users in the directory service. For example: o=remedy.com.
    • User Search Filter: Enter the search criteria for locating user authentication information, for example uid=$\USER$. You can use the following keywords in the filter; at run time, each keyword is replaced by the value it represents:
      • $\USER$: Name of the user who is logging in
      • $\DN$: Distinguished name of the user
      • $\AUTHSTRING$: The value that the user enters in the Authentication String box when logging in
      • $\NETWORKADDR$: IP address of the AR System client accessing the AR System server
    • Group Membership: Select Group Container to look up the groups that the user belongs to in the directory service, or None to skip the group lookup.
      If you select None, the Group Base, Group Search Filter, and Default Group(s) fields are disabled.
    • Group Base: Enter the base name to search for groups in the directory service that includes the user who is logging in; for example, ou=Groups.
      AR System performs a subtree search within the group you specify.
    • Group Search Filter: Enter the search criteria for locating the groups to which the user belongs. For the user's distinguished name, enter the $\DN$ keyword; for example, uniqueMember=$\DN$. At run time, $\DN$ is replaced with the distinguished name.
    • Default Group(s): Enter a default group. If the search finds no matching groups, the group specified in this box is used.
  7. In the Defaults and Mapping Attributes to User Information section, enter the user information in both the LDAP Attribute Name column and the Default Value If Not Found In LDAP column.
    In the LDAP Attribute Name column, enter the LDAP attribute that corresponds to each AR System field. In the Default Value If Not Found In LDAP column, select or enter the value to use when the directory service returns no value for that attribute.
    • License Mask: Enter the number for the license mask.
      The license mask specifies whether the AREA plug-in overrides the existing license information from the User form with the value returned by the plug-in, and which license types are overridden. Use a number from the following table. An X in a license type column means that the value returned from the plug-in overrides that license in the User form for the specified user.
      The number is a bit mask: Write = 1, FTS = 2, Reserved = 4, Application = 8. Add the values of the types you want overridden; for example, 5 overrides Reserved and Write.

      License mask number   Application   FTS   Reserved   Write
      0                     -             -     -          -
      1                     -             -     -          X
      2                     -             X     -          -
      3                     -             X     -          X
      4                     -             -     X          -
      5                     -             -     X          X
      6                     -             X     X          -
      7                     -             X     X          X
      8                     X             -     -          -
      9                     X             -     -          X
      10                    X             X     -          -
      11                    X             X     -          X
      12                    X             -     X          -
      13                    X             -     X          X
      14                    X             X     X          -
      15                    X             X     X          X

    • Write License: Enter the type of AR System license assigned to the user (Read, Floating, or Restricted Read).
    • Reserved License: Enter the license type to select for a reserved license.
    • Application License: Enter the name of the application license granted to the user.
    • Email Address: Enter the default email address to notify the user.
    • Default Notification Mechanism: Enter the notification method used in your environment (none, alert, email, or default).
    • Roles List: Enter the name of the LDAP attribute that lists the user roles.
      For example: The roledn attribute contains role definitions for some LDAP systems. Add any default roles in the Default Value If Not Found In LDAP box.
  8. Click Save Current Configuration.
    The system updates the AR System configuration settings with the parameters you specified in this form.
  9. (Optional) Perform the following to change the order in which AR System searches the listed configurations when attempting to authenticate a user:
    1. In the Configuration List, select the appropriate configuration.
    2. Click one of the following buttons:
      • Decrease Order: Moves the selected configuration down in the authentication attempt order.
      • Increase Order: Moves the selected configuration up in the authentication attempt order.
    3. For the changes to take effect, restart your AR System server.
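The rules and substitutions described in steps 5 through 7, as an added worked example. This is editor-supplied Python, not BMC code and not part of the AREA LDAP plug-in: it models one Configuration List entry, reports which of the constraints stated on this page the entry violates, fills the $\USER$ and $\DN$ keywords into the User Search Filter and Group Search Filter, and decodes a License Mask number into the license types it overrides. The names `AreaLdapConfig`, `validate_config`, `render_filter` and `overridden_license_types` are hypothetical; the `directory_is_active_directory` flag is not a form field and is assumed only to express the Chase Referral rule; the RFC 4515 escaping applied to substituted values is what a safe implementation must do to login-supplied input, not a statement about how the plug-in itself substitutes keywords. The sample configuration values are constructed.

```python
"""Added example (editor-supplied, not BMC code): model one AREA LDAP
Configuration entry, check the rules this page states for it, render its
search filters, and decode a License Mask number.

Assumption: the keywords are replaced textually at run time, as the page says.
The RFC 4515 escaping below is what a safe implementation must apply to
login-supplied values; it is not a description of the plug-in's internals.
"""
from __future__ import annotations
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a runtime value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, *, user: str = "", dn: str = "",
                  authstring: str = "", networkaddr: str = "") -> str:
    """Fill the form's keywords into a User/Group Search Filter template."""
    # Because '\\' is escaped, a substituted value can never contain a keyword
    # such as $\\DN$, so a later replacement cannot chain on an earlier one.
    subs = {"$\\USER$": user, "$\\DN$": dn,
            "$\\AUTHSTRING$": authstring, "$\\NETWORKADDR$": networkaddr}
    out = template
    for keyword, value in subs.items():
        out = out.replace(keyword, escape_filter_value(value))
    return out

@dataclass
class AreaLdapConfig:
    """One Configuration List entry (hypothetical model of the form fields)."""
    host_name: str
    port_number: int
    bind_user: str
    bind_password: str
    use_ssl: bool
    certificate_database: str = ""
    failover_timeout: int = 0
    chase_referral: bool = False
    # Not a form field; assumed here only to express the Chase Referral rule.
    directory_is_active_directory: bool = False
    user_base: str = ""
    user_search_filter: str = ""
    group_membership: str = "None"           # "None" or "Group Container"
    group_base: str = ""
    group_search_filter: str = ""
    license_mask: int = 0

def validate_config(cfg: AreaLdapConfig, rpc_timeout: int) -> list[str]:
    """Return the documented rules that cfg breaks (empty list means OK);
    rpc_timeout is the server's External-Authentication-RPC-Timeout value."""
    problems: list[str] = []
    if not 0 < cfg.port_number <= 65535:
        problems.append("Port Number must be between 1 and 65535")
    if len(cfg.bind_password) > 30:
        problems.append("Bind Password is longer than the 30-character maximum")
    if cfg.use_ssl and not cfg.certificate_database.lower().endswith(".jks"):
        problems.append("Use Secure Socket Layer=Yes needs a .jks Certificate Database")
    if cfg.failover_timeout < 0:
        problems.append("Failover Timeout must be 0 or greater")
    if cfg.failover_timeout > rpc_timeout:
        problems.append("Failover Timeout exceeds External-Authentication-RPC-Timeout")
    if cfg.chase_referral and not cfg.directory_is_active_directory:
        problems.append("Chase Referral=Yes is only for Active Directory; select No")
    if cfg.group_membership == "Group Container":
        if not cfg.group_base:
            problems.append("Group Base is required with Group Membership=Group Container")
        if "$\\DN$" not in cfg.group_search_filter:
            problems.append("Group Search Filter should locate the user with $\\DN$")
    if not 0 <= cfg.license_mask <= 15:
        problems.append("License Mask must be between 0 and 15")
    return problems

# Bit weights recovered from the License Mask table: each column is one bit.
_LICENSE_BITS = (("Write", 1), ("FTS", 2), ("Reserved", 4), ("Application", 8))

def overridden_license_types(mask: int) -> list[str]:
    """User-form license types that the value returned by the plug-in overrides."""
    if not 0 <= mask <= 15:
        raise ValueError("License Mask must be between 0 and 15")
    return [name for name, bit in _LICENSE_BITS if mask & bit]

if __name__ == "__main__":
    # Constructed sample values; substitute your own directory's details.
    cfg = AreaLdapConfig(
        host_name="ldap.example.com", port_number=636,
        bind_user="cn=arsvc,ou=Service Accounts,o=remedy.com",
        bind_password="read-only-bind-secret", use_ssl=True,
        certificate_database=r"C:\certificate\certdb.jks", failover_timeout=30,
        user_base="o=remedy.com", user_search_filter="uid=$\\USER$",
        group_membership="Group Container", group_base="ou=Groups",
        group_search_filter="uniqueMember=$\\DN$", license_mask=13,
    )
    print("problems:", validate_config(cfg, rpc_timeout=40))
    print(render_filter(cfg.user_search_filter, user="jsmith"))
    print(render_filter(cfg.user_search_filter, user="*)(uid=*"))
    print(render_filter(cfg.group_search_filter, dn="uid=jsmith,ou=People,o=remedy.com"))
    print(cfg.license_mask, "overrides", overridden_license_types(cfg.license_mask))
```

Run the block directly to see the sample entry validated and its filters rendered. The escaping matters most for $\USER$ and $\AUTHSTRING$, because those values arrive from the login request: without it, a value such as `*)(uid=*` changes the meaning of `uid=$\USER$` instead of matching one user. Verify the bind DN, password and filters against the directory with its own search tool before saving the configuration, rather than discovering mistakes at login time.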

To add a new configuration for the AREA LDAP plug-in

You can add multiple configurations for the AREA LDAP plug-in. The AREA LDAP plug-in tries to connect to each of the configurations according to the order specified until the authentication is successful. To change the order in which authentication is attempted for the configurations, click Decrease Order or Increase Order on the AREA LDAP Configuration form.

Perform the following steps:

  1. Log in to Mid Tier.
  2. Select AR System Administration > AR System Administration Console.
  3. Select System > LDAP > AREA Configuration.
  4. In the AREA LDAP Configuration form, click Clear Fields.
    All fields on the form are cleared.
  5. Click DeSelect All.
    The highlights on the configurations listed in the Configuration List section are removed.
  6. In the Configuration Detail section, under the Directory Service Information and Defaults and Mapping Attributes to User Information subsections, add new information.
  7. Click Save Current Configuration.
    A new configuration is added for the AREA LDAP plug-in.

To delete configurations for the AREA LDAP plug-in

  1. Log in to Mid Tier.
  2. Select AR System Administration > AR System Administration Console.
  3. Select System > LDAP > AREA Configuration.
    The AREA LDAP Configuration form is displayed.
  4. In the Configuration List, select the configuration that you want to delete.
  5. Click Delete Configuration.

    The system removes the corresponding parameters from the AR System configuration settings.

  6. For the changes to take effect, restart your AR System server.
